From owner-freebsd-security  Tue Nov 25 14:46:48 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id OAA12419
          for security-outgoing; Tue, 25 Nov 1997 14:46:48 -0800 (PST)
          (envelope-from owner-freebsd-security)
Received: from chris.acay.com.au (root@acay0272142.acay.com.au [203.27.214.2] (may be forged))
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA12393
          for <freebsd-security@freebsd.org>; Tue, 25 Nov 1997 14:46:39 -0800 (PST)
          (envelope-from warpy@suburbia.com.au)
Received: from typhoon (warpy@acay00713325.acay.com.au [203.7.133.25])
	by chris.acay.com.au (8.8.7/8.8.5) with SMTP id JAA04942
	for <freebsd-security@freebsd.org>; Wed, 26 Nov 1997 09:46:19 +1100
Date: Tue, 25 Nov 1997 09:58:56 +1100 (EST)
From: warpy <warpy@suburbia.com.au>
X-Sender: warpy@typhoon
Reply-To: warpy <warpy@suburbia.com.au>
To: freebsd-security@freebsd.org
Subject: Possible problem with ftpd 6.00
Message-ID: <Pine.BSF.3.96.971125094506.991A-100000@typhoon>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This morning I noticed something I didn't think should be happening. That
being the password being used by an anonymous user logging into ftp 
showing up in the process list. However this did not happen when I logged
in as a normal user. Obviously there isn't much upon first glance that can
be done to exploit it (at least I think so), but does it need to occur at
all?

If this has been discussed before I apologise.

---

This is what happened:

typhoon:~$ uname -a
FreeBSD typhoon 2.2.5-STABLE FreeBSD 2.2.5-STABLE #0: Sun Nov 23 18:09:03 EST
1997	root@typhoon:/usr/src/sys/compile/TYPHOON  i386
typhoon:~$ ftp localhost 
465 Connected to localhost.  
220 typhoon FTP server (Version 6.00) ready.  
Name (localhost:warpy): ftp
331 Guest login ok, send your email address as password. 
Password: 
230 Guest login ok, access restrictions apply.
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp> ^Z
[2]+ Stopped ftp localhost 
typhoon:~$ ps -ax |grep ftpd |grep -v grep
951  ??  IWs    0:00.12 ftpd: localhost: anonymous/ftp@: SYST\r\n (ftpd)
typhoon:~$


typhoon:~$ ftp localhost  
Connected to localhost.  
220 typhoon FTP server (Version 6.00) ready.  
Name (localhost:warpy):  
331 Password required for warpy. 
Password:  
230 User warpy logged in. 
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp> ^Z
[1]+ Stopped
ftp localhost 465 typhoon:~$ ps -ax |grep ftpd |grep -v grep
951  ??  IWs    0:00.12 ftpd: localhost: warpy: SYST\r\n (ftpd)
typhoon:~$

Comments?

Warpy

+--------------------------------------------------------------------+
| http://www.sekurity.org/~warpy                                     |
| Key fingerprint = 02 78 30 F9 0A 73 15 24  A2 E4 B1 A0 F0 42 80 B0 |
+--------------------------------------------------------------------+